12

We are often advised, or required, to compose passwords containing all of the following: numerals, lower case letters, upper case letters and some special characters. In my view this is not the best advice.

Assuming we need need 80 bits of entropy in our password, that can be achieved in the following ways: 16 random single-case alphanumeric characters; 14 random two-case alphanumeric characters; or 13 printable ASCII characters

My contention is that it is easier to type two or three extra single case alphanumeric characters than it is to be repeatedly manipulating the the case shift key and to be searching around the keyboard for special characters.

Peter
  • 987
  • 2
  • 9
  • 12
  • 3
    By adding ANY limitations on possible password, you're actually removing entropy by narrowing the set. – Agent_L Oct 13 '14 at 14:42
  • 4
    @Agent_L True, but at 80 bits by adding two or three single case alphanumeric characters you are increasing the entropy by more than you are taking away. – Peter Oct 13 '14 at 15:05
  • By imposing limits you're not adding anything at all. Users already can use super-long passwords with uppercases and digits. – Agent_L Oct 13 '14 at 15:09
  • 2
    I am not imposing limits, I am suggesting a practice to make keying in passwords easier. Nobody has to agree with me. I prefer to build up to the same entropy with length rather than using special characters and the shift key. In that way I make fewer typing mistakes. – Peter Oct 13 '14 at 15:14
  • Ah, sorry, I assumed you're constructing a system and looking for best set of constraints to make passwords more secure. – Agent_L Oct 13 '14 at 15:19
  • No, just a humble password user. – Peter Oct 13 '14 at 15:28
  • 1
    possible duplicate of [XKCD #936: Short complex password, or long dictionary passphrase?](http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase) – avalancha Oct 14 '14 at 10:16
  • @avalancha I don't think so. This question has nothing to do with using dictionary words in passwords. – Peter Oct 14 '14 at 12:44
  • 1
    I'm not actually sure this is on topic here. Asking whether something is more secure is good here; something more user friendly might be better over on UX... – Rory Alsop Oct 14 '14 at 12:53
  • The sites requiring upper/lower case characters are the ones that I can never remember my passwords for, so at least in my case it's true. Does that make it more/less secure? Well, I get to reset my password each time I go to those types of sites, so it's changing periodically, but the reset procedure usually involves e-mail which is fairly insecure. Dunno. :-) – Brian Knoblauch Oct 14 '14 at 13:54
  • Given an entropy, the resistance to brut force will be the same. If you think it is better to narrow the possible charaters along with a longer passphrase, that's OK. The important parameter is entropy. Of course if your password include special characters, you must check your keyboard is suited to enter them (try to enter a currency character like € or ¥ when you change your keyboard). – Manu H Oct 14 '14 at 14:20
  • 1
    What's the question? – Relaxed Oct 15 '14 at 07:13

4 Answers4

21

If you want the password scheme to be most user friendly, then you got to let the user choose what he/she wants instead of enforcing such a limitation by second-guessing what the user might prefer.

Every human is unique. Some may prefer a short complicated password that can be entered quickly by virtue of pure muscle memory while others may prefer a passphrase that can be stringed into a song.

I think developers should respect that instead of trying to fit us all into a mould.

Question Overflow
  • 5,250
  • 6
  • 27
  • 48
  • I agree completely. But it took me a long time to understand entropy, measure it and then try to work out what was easiest for me. All I want to do is share what I have found out for myself in hope that others might find it useful. – Peter Oct 13 '14 at 14:10
  • I think this is why many sites simply have password strength meter on the signup page. To guide people without restricting them. After all most website Terms & Conditions absolve the site of end-user security lapses anyway. – LateralFractal Oct 14 '14 at 14:31
11

17 random single-case alphabetic characters have the same entropy, and are even easier to remember and type.

Mark
  • 34,513
  • 9
  • 86
  • 135
  • 2
    +100. I actively loathe corporate password filters. Humans can remember entropy better as long passphrases than short dyslexic strings. If a company has real problem with password security, buy OTP or proximity hardware dongles or fingerprint scanners. – LateralFractal Oct 13 '14 at 09:27
  • 4
    @LateralFractal. Let us say you have strong password of 16 random alphanumeric characters: i.e. over 80 bits. Unless there is something strange about you, you will need to write the password down to remember it, and need to keep a copy somewhere for easy access. The danger is that someone, but probably not a skilled hacker, will find the paper. The solution is to have a memorable prefix to your 16 random alphanumeric characters, which you DON’T write down. E.g. EASTERBUNNYg6hi5yt4dw37j9rx. – Peter Oct 13 '14 at 09:43
  • @Mark Or, arguably, 25 numerals written down in five groups of five. But I will stick with 16 single case alphanumeric characters. – Peter Oct 13 '14 at 10:14
  • 2
    Or four random common words: https://xkcd.com/936/ explained at http://www.explainxkcd.com/wiki/index.php/936 – Webveloper Oct 13 '14 at 11:27
  • @Webveloper Which is weak against dictionary attacks. – Kjeld Schmidt Oct 13 '14 at 13:10
  • 4
    @KjeldSchmidt Surprisingly no. Please read http://www.explainxkcd.com/wiki/index.php/936. After all, a word has a larger glyph space than a letter. – LateralFractal Oct 13 '14 at 13:21
  • The only non-trivial passwords I have outside a password manager are grammatically unsound sentences with a few numbers thrown in. Easy to remember, never need replacing and will take between next ice age and the sun's career as a white dwarf to brute force. It's those $5 Walmart wrenches I'm worried about. – LateralFractal Oct 13 '14 at 13:39
  • 1
    @KjeldSchmidt Definitely not. Let's assume the vocabulary size of humans is in the ballpark of 20k words. Four random words have an entropy of 60 bits which would take the fastest single core processors ~50 years to process. (20000^4/10^8 AES-256 ops per second/60/60/24/365) – vee_ess Oct 13 '14 at 14:53
  • @LateralFractalI suppose if remembering the password without writing it down is important, and you are using a standard keyboard then something like this will work. &I7saW5A8reDwinD7smellinG2furiouslY9oF6turnipS& - you remember the & at the start and finish, the phrase “I saw a red wind smelling furiously of turnips” the capitalisation of the final letter of all the words and the number 7587296 (the neighbour’s phone number when you were a kid) instead of spaces – and gosh nobody will crack that! – Peter Oct 13 '14 at 14:59
  • Jesus christ, people. 20 hexadecimal characters. It's not that hard to remember a couple of them, seriously, especially with muscle memory. And you can use a password manager with a strong passphrase, there. In my experience, a long password made up from a reasonably small alphabet is INFINITELY easier to remember than a short one made up from a huge alphabet. – Thomas Oct 14 '14 at 07:54
1

There is a trade off between:

  1. asking users to type short sentences or phrases, without the need for validation of upper case, non-alpha characters
  2. very short text strings with character complexity

Users will measure their experience as the %age hassle and success for typing their password in and you will have different results with different audiences and it is up to the system designer to work out what works best for the particular audience (although, I would say that no password at all is the best, but that's an answer to another question).

In banking, I had better success with using numeric passwords (awful entropy) than in a call centre were long phrases had the best success rates (I guess they were better at typing).

I would like to think that "the password" as a means of authentication has a limited shelf life.

Callum Wilson
  • 2,543
  • 11
  • 16
0

I wouldn't say it is more user friendly. Personally, I want fewer characters to remember, but I also hate artificial limits being placed on me. A more interesting approach might be to calculate the entropy of a users password and simply require a certain amount of entropy.

If the user does not enter anything other than lower case letters, it would require the most characters. If they include any upper case, numbers or punctuation, each of those classes of character would be applied to the length of the password to determine the amount of entropy.

This would leave it up to the user to decide if they want to have a longer alphabetic password or a shorter, more complex password. The only additional thing you would need to store for such a system would be a flag to say the password is not case sensitive if the same capitalization is used for the entire password. You could then do a string lower if the flag is set to ensure future entries are processed in the same way.

It does have the downside of making it less obvious what needs to be done, but a detailed error message could still be built, such as, "Your password is not yet secure enough, to make your password more secure, consider adding 3 punctuation, 1 upper case letters, 2 numbers, 6 more lower case letters, or try some subset of those. Be sure to spread them throughout the password." This would let the user know examples of what needs to be added to get sufficient entropy.

It does also have the downside that users are likely to just append them to the end, which is less secure than if they were spread throughout, but the problem of users choosing bad passwords is as old as information security.

AJ Henderson
  • 41,896
  • 5
  • 63
  • 110
  • I am not trying to limit anything: people can do whatever they want in composing passwords. I am just suggesting that a single case alphanumeric password is easier to type on the keyboard without making mistakes. The cost for that ease, at 80 bits of entropy, is the addition of three extra characters. – Peter Oct 14 '14 at 14:25
  • @Peter - right, I'm agreeing that a longer password with less complexity is fine and may be more usable for some. Practically though, we don't want to require a 13 character password if the user prefers to use special characters and we can't only require 8 characters without checking the complexity or they might just enter an 8 character lower case password. I was proposing a way of checking the complexity while still allowing the user to use whatever type of password they prefer. – AJ Henderson Oct 14 '14 at 14:27
  • I have not seen an entropy measurement program on the net. Most password strength measurement tools on various sites don't seem to perform very well. We should ask a hacker or the NSA to provide one for us! – Peter Oct 14 '14 at 14:40